POST-IMAGE TECHNIQUES

This application is a continuation-in-part of U.S. Patent Application Serial No. 09/028,415, 
filed February 24, 1998, entitled Post-image Techniques. 

FIELD OF THE INVENTION 
The present invention relates to a technique for deriving properties of a control system, 
and more especially to a technique for deriving properties of a hardware system using a model of 
the system. 

DESCRIPTION OF THE PRIOR ART 
When seeking to derive the properties of a system on the basis of known transition 
functions of the system and all of the possible starting states, it is known to use so-called
"post-image" techniques to derive the reachable states of the system. A known set of initial states is
selected and the post-image of that initial set is formed to provide a first reachable set. The first 
reachable set is compared to the known set of reachable states and, if the known set does not 
comprise the first reachable set, a new set of known reachable states is formed comprising the 
combination of the set of reachable states and the first reachable set. If however the known set of 
reachable states comprises the first reachable set, the set of reachable states is determined to be 
an invariant of the system, and computation ceases. 

Where the system model is a set of transition functions, it would be considerably more
efficient to produce the so-called "pre-image" of a set of states than it would be to produce the 
post-image. In simple terms, where each of several inputs to a system causes one of a set of 
outputs, a worst case for testing which input provided one particular output of interest would 
require all of the inputs to be applied in turn before it was possible to identify the input that gave 
rise to the particular output. 

SUMMARY OF THE INVENTION 
According to one aspect, the present invention derives transition functions for a reverse 
machine, i.e., a machine such that the post-image of the reverse machine will be the pre-image of 
the original system. The described novel technique has a large number of applications such as 
deriving properties of a control system using a model of the system, or deriving properties of a
hardware system using a model of the system. The described novel technique may specifically
be used for testing electronic circuits, testing logic circuits, including microprocessors.

According to another aspect, a method of calculating the post-image in a system includes 
forming a reverse model of the system, and calculating the pre-image in the reverse model, 
wherein the pre-image in the reverse model is equivalent to the post-image in the system. 
Preferably, the reverse model may be formed without knowing input states and the corresponding
output states of the system. The formation of the reverse model may include transforming a
transition function of the system into a constraint on the reverse model, and applying a 
parameterization of the constraint to all transitions of the reverse model. 

According to yet another aspect, a method of synthesizing a reverse model of a system 
includes transforming a transition function of the system into a constraint on the reverse model, 
and applying a parameterization of the constraint to all transitions of the reverse model. 

According to yet another aspect, a device for synthesizing a reverse model of a system 
includes a first store (a first memory), a second store (a second memory), and a processing 
system. The first store is constructed and arranged to store bits representative of transition 
functions of the system. The second store is constructed and arranged to store bits representative 
of an estimate of transition functions of the reverse model. The processing system includes a
logical device and a parameterization processor. The logical device is constructed and arranged to
transform the transition functions of the system into constraints on the reverse model. The 
parameterization processor is arranged to apply a parameterization of the constraints to the 
estimate of transition functions of the reverse system to form transition functions of the reverse 
model. 

According to yet another aspect, a device for synthesizing a reverse model of a system 
includes a first means for storing bits representative of transition functions of the system; a 
second means storing bits representative of an estimate of transition functions of the reverse 
model; and processing means. The processing means include a logical means for transforming 
the transition functions of the system into constraints on the reverse model; and a 
parameterization means for applying a parameterization of the constraints to the estimate of 
transition functions of the reverse system to form transition functions of the reverse model. 

According to yet another aspect, a device for calculating the post-image in a system
includes a third store (a third memory), a fourth store (a fourth memory), and a logical device. 
The third store is constructed and arranged to store bits representative of transition functions of a 
reverse model of the system. The fourth store is constructed and arranged to store bits 
representative of a set of states of the system. The logical device is constructed and arranged to 
substitute the state variables of the reverse model by the transition functions of the reverse model 
to provide a new set of states representing the pre-image of the reverse model, and thus provide 
the post-image in the system.

Preferably, the device of this aspect further comprises a first store constructed and 
arranged to store bits representative of transition functions of the system, and a second store 
constructed and arranged to store bits representative of an estimate of transition functions of the
reverse model. The logical device is constructed and arranged to store transforming the
transition functions of the system into constraints on the reverse models. The parameterization
device is constructed and arranged to store applying a parameterization of the constraints to the
estimate of transition functions of the reverse system to form transition functions of the reverse 
model. 

Preferably, the estimate of transition functions of the reverse model comprises previous 
state variables of the system. 

According to yet another aspect, a device for calculating the post-image in a system 
includes a third means for storing bits representative of transition functions of a reverse model of
the system; a fourth means for storing bits representative of a set of states of the system; and 
logical means for substituting the state variables of the reverse model by the transition functions 
of the reverse model to provide a new set of states representing the pre-image of the reverse 
model, and thus provide the post-image in the system. 

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 shows a two bit counter as a finite state machine. 
Figure 2 shows a schematic diagram of a system for proving the properties of the
hardware system.
Figure 3 shows a conceptual flow diagram of a present technique.

In the figures, like reference numerals refer to like parts.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
In this example, a two bit counter is used to demonstrate a technique for modeling a 
reverse machine. It will be clear to one skilled in the art that if the real machine is a conventional 
counter which counts up, then the reverse machine will be a machine which counts down. 

It will also be clear to one skilled in the art that for the simplified examples selected here, 
properties would normally be proved by using only a pre-image calculation. Post-image 
calculation could be used for example to calculate the set of reachable states, namely all states 
which could be reached by a particular machine. In this situation, a typical method would be to 
start with a set of initial states, calculate the post-image and add the states resulting in the
post-image to the original set. This would then be repeated until no new states were found and the
resultant would be the set of reachable states. 

Although it will be clear to one skilled in the art that for a two bit counter having states
(0,0), (0,1), (1,0) and (1,1) the set of reachable states would comprise the set of all these states, 
the following description gives an example of the construction of a reverse machine which 
enables the use of pre-image calculation on that reverse machine to prove this. 

Referring to Figure 1, a two bit counter has four states S0, S1, S2 and S3. The transition
from S0 to S1 is T01, the transition from state S1 to state S2 is T12, the transition from S2 to S3
is T23 and the transition from S3 to S0 is T30.

At state S0, the bits of the counter are both equal to zero (i.e. b0=0 and b1=0, where b0 is
the least significant bit and b1 is the most significant bit). In state S1, the counter has b0=1 and
b1=0, in state S2 b0=0 and b1=1, and in state S3 b1=1 and b0=1.

The state transition functions are formed as follows:

1. For the least significant bit, a transition from one state to the next causes the least
significant bit to be inverted, i.e.

b0 = NOT b0.

2. For the most significant bit, this has a value of logic 1, i.e. true where the previous state
is S1 or S2. For S1, b0 is true and b1 is false and for S2 b0 is false and b1 is true. Thus,

b1 = (NOT b0 AND b1) OR (b0 AND NOT b1).

As applied to this counter, an example of the use of the invention is to prove that only a
transition from state S1 can directly result in state S2.

The invention accordingly provides a method and apparatus for synthesizing a reverse
model of a finite state machine. This will be demonstrated using the finite state machine shown
in Figure 1, i.e. synthesizing a reverse counter.

To do this, it is first necessary to note that for a reverse machine, transitions would take
place in the reverse direction to those shown in Figure 1. Thus, for the reverse machine, the next
state of that reverse machine is in fact the previous state of the real machine. Thus, after a
transition from b0 in the reverse machine, the result is a new value equal to b0' and a transition
in the reverse machine from b1 results in a new value of b1' where the notation " ' " indicates the
previous state of the real machine.

Applying the transition functions of the real state machine to the transitions of the reverse
machine to form constraints:

b0 = NOT b0'    (1)

b1 = (NOT b0' AND b1') OR (b0' AND NOT b1')    (2)

From our British Application No 9624935.4, which is incorporated by reference as if
fully set forth herein, it was shown that if a constraint is given by

(NOT I AND T0) OR (I AND T1)    (3)

where I is an input and neither T0 nor T1 depend on I, then I can be generated by
parameterization of this equation to provide a new input J which satisfies the relation

I = (NOT J AND NOT T0) OR (J AND T1)    (4)

An equation for b0' is now generated using the constraint (1) and the parameterization
technique so that:

b0' = (NOT b0'' AND NOT [b0=1]) OR (b0'' AND [b0=0])
    = NOT b0

Substituting this equation in constraint (2) gives:

b1 = (b0 AND b1') OR (NOT b0 AND NOT b1') or, equivalently:-

(b1' AND [b0=b1]) OR (NOT b1' AND NOT [b0=b1])

By using this equation, an equation for b1' can be generated by the parameterization
technique, whereby:-

b1' = (NOT b1'' AND [b0=b1]) OR (b1'' AND [b0=b1]) thus b1' = [b0=b1]

The transitions of the reverse machine are now such that the value of b0 on the next cycle
is calculated as NOT b0 and the value of b1 on the next cycle is calculated as b0=b1.

By substituting in the relationship (3) above:
b1' = (b0 AND b1) OR (NOT b0 AND NOT b1).

Thus, the transition functions for the reverse machine give the following relationships:-
For bit 0:- After a transition in the forward direction for the reverse machine, the new value of bit
0 will be true if the starting value of bit 0 were false.

In the context of the real machine, as has previously been explained, a forward transition
of the reverse machine is identical to a reverse transition of the real machine. Thus, the above can
be restated as:-

The previous value of the bit 0 of the real machine is true if the present value of bit 0 of
the real machine is false.

For bit 1:- Using the bit 0 relationship above: the previous value of bit 1 for the real machine is
true if the present bit 0 and the present bit 1 are both true or if the present value of bit 0 and the 
present value of bit 1 are both false. 
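
The counter derivation above, carried out mechanically as an added Python example (not part of the patent text): formula (4) is applied to constraints (1) and (2) to synthesize the reverse machine, and the pre-image in that reverse machine is checked against the post-image of the real counter. The function names and the (b0, b1) tuple encoding are assumptions of this example.

```python
from itertools import combinations, product

# States are encoded as (b0, b1); this encoding and all names are assumptions
# of this example, not notation from the patent.
STATES = list(product([False, True], repeat=2))
S0, S1, S2, S3 = (False, False), (True, False), (False, True), (True, True)


def fwd(b0, b1):
    """Transition functions of the real two-bit counter."""
    return (not b0, (not b0 and b1) or (b0 and not b1))


def parameterize(constraint):
    """Formula (4): solve a constraint of form (3) for its first argument I.

    T0 and T1 are the constraint with I fixed to false and true; the result
    is I as a function of the new free input J and the remaining variables.
    """
    def solved(j, *rest):
        t0 = constraint(False, *rest)
        t1 = constraint(True, *rest)
        return (not j and not t0) or (j and t1)
    return solved


def reverse_machine(j0, j1, b0, b1):
    """Previous state (b0', b1') of the real counter, given its present state."""
    # Constraint (1): b0 = NOT b0', solved for b0'.
    prev_b0 = parameterize(lambda p0, b0: b0 == (not p0))(j0, b0)
    # Constraint (2) with b0' already substituted, solved for b1'.
    prev_b1 = parameterize(lambda p1, b1: b1 == fwd(prev_b0, p1)[1])(j1, b1)
    return (prev_b0, prev_b1)


def rev(b0, b1):
    # For the counter the parameters b0'', b1'' drop out, so any value will do.
    return reverse_machine(False, False, b0, b1)


def pre_image(step, states):
    """Pre-image by substitution: states whose image under `step` lies in `states`."""
    return {s for s in STATES if step(*s) in states}


def post_image(step, states):
    """Post-image by enumeration, used here only as the reference result."""
    return {step(*s) for s in states}


def reverse_matches_forward():
    """Post-image in the real machine equals pre-image in the reverse model."""
    subsets = (set(c) for n in range(5) for c in combinations(STATES, n))
    return all(post_image(fwd, x) == pre_image(rev, x) for x in subsets)


def reachable(initial):
    """Reachable-set fixpoint, with each post-image taken in the reverse model."""
    known = set(initial)
    while True:
        image = pre_image(rev, known)
        if image <= known:      # nothing new: `known` is an invariant
            return known
        known |= image


if __name__ == "__main__":
    print("reverse of S2:", rev(*S2))
    print("post == pre in reverse:", reverse_matches_forward())
    print("reachable from S0:", sorted(reachable({S0})))
```

Because the counter's transition is a bijection, the free parameters b0'' and b1'' have no effect on the result, which is why `rev` can fix them arbitrarily.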

More generally, in a model checker based on the transition relation, the formula for the
calculation of the post-image of a set of states is very similar to the formula for the calculation of
the pre-image (Pre(X) = ∃S': X[S:=S'] & R and Post(X) = (∃S: X & R)[S':=S]), where the
following notation applies:-

X[V:=E] substitutes the expressions E for the variables V in the predicate X.

∃V:X existential quantification of the variables V in the predicate X.

However, in a model checker based on transition functions, the post-image formula is 
complicated and difficult to implement efficiently. This section will show how to provide 
transition functions for the reverse machine (i.e. one in which transitions go from the current 
state to the previous state), and therefore the pre-image of the reverse system will be the 
post-image of the original system. 

Let the state variables and transition functions of the machine be S' and T (observation 
functions are not considered), then the reverse system is constructed as follows. First note that S' 
(the next-state variables of the reverse system) correspond to the previous states of the original 
system. Beginning with the transitions of the reverse system being T', the transition functions of 
the original system are used to constrain them. Thus, for each state S' and transition t, there is a 
constraint S = t[S:=S']. Call the set of constraints C. For each constraint, the parameterization
E over the variables S', is calculated and this is substituted in the transition functions and the 
remaining constraints. 

The parameterization is an idempotent parameterization, i.e. a parameterization which,
after being effected, leaves the relationship entirely unaltered.

Referring to Figure 2, a first store (memory) 100 stores bits representative of transition 
functions of a system. A second store 200 stores bits representative of estimated transition 
function of a reverse model of said system, the estimate being derived from knowledge of the 
next-state variables of the reverse system, which of course correspond to the previous state 
variables of the original system. A third store 300 stores bits representative of the set of state 
variables of the system, which necessarily is also the set of state variables of the reverse model.

A processor 400 has a logical transforming device 410 which receives the transition 
functions of the real machine from the first store 100 and transforms the transition functions into 
constraints on the reverse model. The processor further has a parameterization processing device
420 for calculating for each constraint the parameterization over the variables of the reverse
machine which are then applied to the estimated transition functions of the reverse machine in
applying means 430. The applying means 430 provides an output to a fourth store 500 which 
stores the actual transition functions of the reverse model. 

The processor 400 further includes a forming device 440 which receives the state variables
of the real/reverse models from the third store 300 and also receives the transition functions of 
the reverse machine from the fourth store 500 and acts to substitute the state variables of the 
reverse machine with the transition functions of the reverse machine to provide a new set of 
states which represent the pre-image of the reverse system thus the post-image of the second 
system. This data is stored in fifth store 600. 

Referring to Figure 3, the method of the invention, as described above, involves forming 
a model of the reverse machine and then applying as inputs to the model of the reverse machine, 
outputs of the real machine so as to determine what inputs in the real machine could give rise to 
those outputs. It is therefore necessary to provide an accurate model of the reverse machine and 
this part of the inventive method is shown in Figure 3.

Referring to Figure 3, a complete description of the real machine 1000 is accessed and 
processed to extract the state transitions 1002 using a processing engine 1001. A second 
processing engine 1003 also accesses the description 1000 to provide the transition functions 
1004 of the real machine. A further processing stage 1005 reverses the transitions of the real
machine to provide an output 1006 of reverse transitions. The transition functions in box 1004
are processed 1007 so as to transform the transition functions of the real machine into constraints
and a parameterization of the constraints is applied in stage 1008 to each and all of the reverse 
transitions to thereby form the model of the reverse machine 1010. As reported above, by 
applying the outputs of the real machine as inputs to the model of the reverse machine, the inputs 
to the real machine can be discovered. 

The described method and device have a large number of applications such as deriving
properties of a control system using a model of the system or deriving properties of a hardware 
system using a model of the system. The described novel technique may specifically be used for 
testing electronic circuits, testing logic circuits, including microprocessors. In general, the 
described method and device can be used for testing any mechanistic system in which states 
occur and transitions between the states occur on a clocked or a time-dependent basis. 

The above description is of preferred and exemplary embodiment(s) of the present
invention only and is to enable a full understanding of the invention while not intending to limit 
the invention. The scope of the invention can be ascertained from the following claims: 

1. A method of synthesizing a reverse model of a control system comprising:-
transforming a transition function of the control system into a constraint on the reverse
model; and

applying a parameterization of said constraint to all transitions of the reverse model.

2. A method of synthesizing a reverse model of an electronic circuit, the method 
comprising: 

transforming a transition function of said electronic circuit into a constraint on the reverse 
model; and 

applying a parameterization of said constraint to all transitions of the reverse model. 

3. The method as claimed in claim 2 wherein said electronic circuit includes a logic
circuit.

4. The method as claimed in claim 2 wherein said electronic circuit includes a 
microprocessor. 

5. A method of calculating the post-image in a control system, the method 
comprising: 

forming a reverse model of said control system; and 

calculating the pre-image in said reverse model, wherein the pre-image in said reverse 
model is equivalent to the post-image in said control system. 

6. The method of claim 5 further comprising identifying from a characterization of a 
model of said control system, transitions of said control system and reversing said transitions to 
form potential transitions of a reverse model.

7. The method of claim 5 and further comprising extracting from a characterization 
of a model of said control system, transition functions of said control system. 

8. A method of calculating the post-image in an electronic circuit, the method
comprising: 

forming a reverse model of said electronic circuit; and 

calculating the pre-image in said reverse model, wherein the pre-image in said reverse 
model is equivalent to the post-image in said electronic circuit. 

9. The method as claimed in claim 8 wherein said electronic circuit includes a logic
circuit.

10. The method as claimed in claim 8 wherein said electronic circuit includes a 
microprocessor. 

11. The method of claim 8 further comprising identifying from a characterization of a
model of said electronic circuit, transitions of said electronic circuit and reversing said transitions 
to form potential transitions of a reverse model. 

12. The method of claim 8 and further comprising extracting from a characterization 
of a model of said electronic circuit, transition functions of said electronic circuit. 

13. A device for synthesizing a reverse model of an electronic circuit, the device 
comprising: 

a first store storing bits representative of transition functions of said electronic circuit; 
a second store storing bits representative of an estimate of transition functions of said 
reverse model; and 

a processing system comprising 

a logical device for transforming said transition functions of said electronic circuit 
into constraints on said reverse model; and 

a parameterization processor for applying a parameterization of said constraints to 
said estimate of transition functions of said reverse system to form transition functions of said 
reverse model. 

14. A device for calculating the post-image in an electronic circuit comprising:

a third store storing bits representative of transition functions of a reverse model of said 
electronic circuit; 

a fourth store storing bits representative of a set of states of said electronic circuit; and 
a forming device substituting the state variables of the reverse model by the transition 
functions of the reverse model to provide a new set of states representing the pre-image of said 
reverse model, and thus provide the post-image in said electronic circuit. 

15. A device as claimed in claim 14 further comprising a first store storing bits 
representative of transition functions of said electronic circuit; 

a second store storing bits representative of an estimate of transition functions of said 
reverse model; 

a logical device for transforming said transition functions of said electronic circuit into 
constraints on said reverse models; and 

a parameterization processor for applying a parameterization of said constraints to said 
estimate of transition functions of the reverse system to form transition functions of said reverse 
model. 

16. A device as claimed in claim 13 wherein said estimate of transition functions of 
said reverse model comprises previous state variables of said electronic circuit. 

17. A device as claimed in claim 15 wherein said estimate of transition functions of 
said reverse model comprises previous state variables of said electronic circuit. 

18. The device as claimed in claim 13 wherein said electronic circuit includes a logic
circuit.

19. The device as claimed in claim 13 wherein said electronic circuit includes a 
microprocessor. 

20. The device as claimed in claim 14 wherein said electronic circuit includes a logic
circuit.

21. The device as claimed in claim 14 wherein said electronic circuit includes a
microprocessor.

POST IMAGE TECHNIQUES
ABSTRACT 

A device for synthesizing a reverse model of a system includes a first store storing bits 
representative of transition functions of the system, a second store storing bits representative of an 
estimate of transition functions of the reverse model, and a processing system. The processing system
comprises a logical device for transforming the transition functions of the system into constraints on 
the reverse model, and a parameterization processor for applying a parameterization of the 
constraints to the estimate of transition functions of reverse system to form transition functions of the 
reverse model.

manner provided by the first paragraph of Title 35, United States Code, §112, I acknowledge the
duty to disclose material information as defined in Title 37, Code of Federal Regulations, §1.56
which became available between the filing date of the prior application and the national or PCT
International filing date of this application: 

09/028,415 February 24, 1998 Pending 

(Application No.) (filing date) (status-patented, pending, abandoned) 



PCT International Applications designating the United States: 



(PCT Appl. No.) (U.S. Ser. No.) (PCT filing date) (status-patented, pending, abandoned)

I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and to
transact all business in the Patent and Trademark Office connected therewith: 



David Wolf  17,528
Peter J. Gordon  35,164
Robert A. Skrivanek, Jr.  41,316
George L. Greenfield  17,756
Randy J. Pritzker  35,986
Robert M. Abrahamsen  40,886
Stanley Sacks  19,900
Richard F. Giunta  36,149
Ivan D. Zitkovsky  37,482
Edward F. Perlman  28,105
Douglas R. Wolf  36,971
Michele J. Young  43,299
Lawrence M. Green  29,384
Elizabeth R. Plumer  36,637
Edward J. Russavage  43,069
Steven J. Henry  27,900
Timothy J. Oyer  36,628
Alan B. Sherr  42,147
Therese A. Hendricks  30,389
John N. Anastasi  37,765
John C. Gorecki  38,471
Edward R. Gates  31,616
Helen C. Lockhart  39,248
William G. Gosz  27,787
William R. McClellan  29,409
James M. Hanifin, Jr.  39,213
Neil P. Ferraro  39,188
Ronald J. Kransdorf  20,004
Christopher S. Schultz  37,929
Julie A. Beberman  40,906
M. Lawrence Oliverio  30,915
Paul D. Sorkin  39,039
Lisa E. Winsor  44,405
Jason M. Honeyman  31,624
John R. Van Amsterdam  40,212
Mark Steinberg  40,829
James H. Morris  34,681
Matthew B. Lowrie  38,228
Stephen R. Finch  42,534
Peter C. Lando  34,654
Michael G. Verga  39,410
Joseph Teja, Jr.  P-45,157
Gary S. Engelson  35,128
Robert E. Rigby, Jr.  36,904
Alan W. Steele  P-45,128



Address all telephone calls to James H. Morris at telephone no. (617) 720-3500. Address all 
correspondence to: 

James H. Morris 
c/o Wolf, Greenfield & Sacks, P.C., 
Federal Reserve Plaza 

600 Atlantic Avenue 
Boston, MA 02210-2211 

I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 



Inventor's signature Date 
Full name of sole or first inventor Geoff BARRETT 
Citizenship British 

Residence (City and State, or City and Country for non-U.S. residence)

Bristol, England 
Post Office Address 

28 Devonshire Road, Westbury Park, Bristol BS6 7NJ, England 